Installing and Configuring Fail2Ban in Ubuntu 20.04

When the SSH port is exposed to the Internet, threat actors will test its security by attempting to brute-force it. The same is true for most standard protocols. Reducing the attack surface by closing unnecessary ports is a must.

Essentially, Fail2ban is a utility that protects servers against brute-force attacks.

This guide describes how a service called Fail2Ban can be installed and configured on Ubuntu 20.04 to protect the SSH port. It is very rarely necessary to expose SSH to the whole Internet, by the way. This tool is most suitable for protecting services that must be exposed publicly from abuse, such as your web application.

Nevertheless, this guide is focused on protecting SSH.

In principle, Fail2Ban works together with the iptables firewall to automatically block an IP address when the number of unsuccessful login attempts reaches a given threshold, according to the rules defined in this guide.

Installing the Fail2Ban service

1. Update the package lists and upgrade the installed packages

sudo apt-get update -y && sudo apt-get upgrade -y

2. Install fail2ban

sudo apt-get install fail2ban

3. Ensure fail2ban runs at system startup (this is important in case the system reboots)

systemctl enable fail2ban.service

root@another-fail2ban:~# systemctl enable fail2ban.service
Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable fail2ban

4. Make sure that the Fail2Ban configuration files exist under /etc/fail2ban/

ls /etc/fail2ban/
action.d       fail2ban.d  jail.conf  paths-arch.conf    paths-debian.conf
fail2ban.conf  filter.d    jail.d     paths-common.conf  paths-opensuse.conf

Configuring Fail2Ban settings

sudo cp /etc/fail2ban/jail.{conf,local}

To configure Fail2Ban according to our ban policy, we need to edit the newly created /etc/fail2ban/jail.local file:

sudo vi /etc/fail2ban/jail.local

Whitelisting your IP Address

Uncomment the ignoreip setting and add your own address so it looks like this:

ignoreip = 127.0.0.1/8 ::1 {Your IP Goes Here}

Note that whitelisted IP addresses are separated by white space.

Configuring Ban time

Uncomment the ban time setting in the jail.local configuration file so it looks like this:

bantime = 1d

Note that if you want to permanently ban a client, put a negative number in the bantime setting.

Configuring Find Time and Max Retry flags

Let's say our policy is to ban a client for 1 day when there have been 5 failed login attempts within a 10-minute window. To do that, change these settings:

bantime = 1d
findtime = 10m
maxretry = 5

Then restart the fail2ban service by running:

systemctl restart fail2ban

and check its status:

root@ubuntu-s-1vcpu-1gb-nyc3-01:~# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 185.156.74.65

Easiest way: Setting up a filtering Service

1. Create a dedicated jail file for sshd

vi /etc/fail2ban/jail.d/sshd.conf

2. Paste the following configuration

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/auth.log
bantime = 1d
findtime = 10m
maxretry = 5
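To make the interaction of findtime, maxretry, bantime and ignoreip concrete, here is an added Python example (not part of the original guide and not Fail2ban's own code) that applies the jail policy above to a constructed auth.log excerpt. The IP addresses, the host name and the simplified failure regex are assumptions for illustration; the whitelisted address 203.0.113.7 stands in for "your IP".

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail policy taken from the guide's jail.local / jail.d/sshd.conf settings
FINDTIME = timedelta(minutes=10)
MAXRETRY = 5
BANTIME = timedelta(days=1)
# ignoreip = 127.0.0.1/8 ::1 {Your IP Goes Here}; 203.0.113.7 stands in for "your IP" (constructed)
IGNOREIP = ["127.0.0.1/8", "::1", "203.0.113.7"]
# Our own simplified version of the sshd failure line that fail2ban's filter matches in auth.log
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+"
)

def is_ignored(ip):
    """True when ip falls inside any address or network listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def evaluate(lines, year=2021):
    """Return {ip: (ban_time, expiry)} for IPs reaching MAXRETRY failures inside a sliding FINDTIME window."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed login; the filter never sees it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog has no year
        ip = m.group(2)
        if ip in bans or is_ignored(ip):
            continue  # already banned, or whitelisted via ignoreip
        # drop failures older than findtime, then count this one
        recent[ip] = [t for t in recent[ip] if ts - t <= FINDTIME] + [ts]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
    return bans

def failed(ts, ip):
    """Build one constructed auth.log line in the format sshd writes on Ubuntu."""
    return f"Jan  6 {ts} demo sshd[1401]: Failed password for invalid user admin from {ip} port 40122 ssh2"

# Constructed excerpt: a fast brute force, a slow one that never fills the window, a whitelisted host
SAMPLE = (
    [failed(t, "198.51.100.23") for t in ("14:58:06", "14:58:13", "14:58:18", "14:58:22", "14:58:27")]
    + [failed(t, "192.0.2.5") for t in ("14:00:00", "14:03:00", "14:06:00", "14:09:00", "14:12:00")]
    + [failed(t, "203.0.113.7") for t in ("15:00:01", "15:00:02", "15:00:03", "15:00:04", "15:00:05")]
)
```

Only 198.51.100.23 is banned: 192.0.2.5 never has 5 failures inside any 10-minute window, and 203.0.113.7 is exempt through ignoreip.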

3. Then restart the fail2ban service by running:

systemctl restart fail2ban

4. Make sure the service is up and running

systemctl status fail2ban

5. Tail /var/log/fail2ban.log to see what the log looks like. When an IP address is banned, the entries look like this:

root@fail2bandemo:/etc/fail2ban/jail.d# tail /var/log/fail2ban.log
2021-01-06 14:54:24,678 fail2ban.actions [14255]: INFO banTime: 86400
2021-01-06 14:54:24,678 fail2ban.filter [14255]: INFO encoding: UTF-8
2021-01-06 14:54:24,678 fail2ban.filter [14255]: INFO Added logfile: '/var/log/auth.log' (pos = 2012, hash = c2a531b8ff571067a4dc30dfb761f6be1ac370e3)
2021-01-06 14:54:24,680 fail2ban.jail [14255]: INFO Jail 'sshd' started
2021-01-06 14:58:07,125 fail2ban.filter [14255]: INFO [sshd] Found 142.93.21.15 - 2021-01-06 14:58:06
2021-01-06 14:58:13,640 fail2ban.filter [14255]: INFO [sshd] Found 142.93.21.15 - 2021-01-06 14:58:13
2021-01-06 14:58:18,521 fail2ban.filter [14255]: INFO [sshd] Found 142.93.21.15 - 2021-01-06 14:58:18
2021-01-06 14:58:22,720 fail2ban.filter [14255]: INFO [sshd] Found 142.93.21.15 - 2021-01-06 14:58:22
2021-01-06 14:58:27,193 fail2ban.filter [14255]: INFO [sshd] Found 142.93.21.15 - 2021-01-06 14:58:27
2021-01-06 14:58:27,591 fail2ban.actions [14255]: NOTICE [sshd] Ban 142.93.21.15

6. Check the fail2ban service with fail2ban-client

root@fail2bandemo:/etc/fail2ban/jail.d# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 142.93.21.15
root@fail2bandemo:/etc/fail2ban/jail.d#

Software Engineer and Application Security Engineer focused on Cybersecurity, Web Application Security, Research and Development. Based in Costa Rica